[Jool-list] Getting NAT64 to work with systemd-nspawn containers connected with ipvlan.

Rob Ert ertr3960 at gmail.com
Sun Dec 17 16:51:52 CST 2023


Also, I am not able to get jool compiled for my kernel at this time; I am
dependent on a recent kernel, as I am using/testing bcachefs:

/sbin/dkms install jool-4.1.7/
Sign command: /lib/modules/6.7.0-rc4-bcachefs-kvm/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for
MOK...
Creating symlink /var/lib/dkms/jool/4.1.7/source -> /usr/src/jool-4.1.7

Building module:
Cleaning build area...
make -j3 KERNELRELEASE=6.7.0-rc4-bcachefs-kvm -C
/lib/modules/6.7.0-rc4-bcachefs-kvm/build
M=/var/lib/dkms/jool/4.1.7/build/src/mod/common modules && make -C
/lib/modules/6.7.0-rc4-bcachefs-kvm/build
M=/var/lib/dkms/jool/4.1.7/build/src/mod/nat64 modules && make -C
/lib/modules/6.7.0-rc4-bcachefs-kvm/build
M=/var/lib/dkms/jool/4.1.7/build/src/mod/siit modules.....(bad exit status:
2)
Error! Bad return status for module build on kernel: 6.7.0-rc4-bcachefs-kvm
(x86_64)
Consult /var/lib/dkms/jool/4.1.7/build/make.log for more information.
root at potnia:/usr/local/src/unpacked# less
/var/lib/dkms/jool/4.1.7/build/make.log

On Sun, Dec 17, 2023 at 2:08 PM Rob Ert <ertr3960 at gmail.com> wrote:

> Hello all,
>
> I need IPv4 connectivity for my particular ipvlan server setup, and would
> like to implement it with NAT64.
>
> Following are the specifics of my server setup:
>
> Hetzner VM (kvm based - one IPv4 and a /64 IPv6 subnet) with:
>
> multiple IPv6-only systemd-nspawn containerized machine instances
> connected over ipvlan – host and guest systems are all Debian Trixie.
>
> The specifics of ipvlan are given here:
>
> https://people.netfilter.org/pablo/netdev0.1/papers/IPVLAN-The-beginning.pdf
>
> with the main point being (paraphrasing the original article):
>
> Traffic to and from the host master device (defaultns) cannot be sent to
> and from slaves.  This can be worked around by assigning one of the virtual
> devices to the host and eliminating the configuration on the master interface.
>
> ~# cat /etc/systemd/network/10-enp1s0.network
> [Match]
> Name=en*
> [Network]
> DHCP=no
> LinkLocalAddressing=no
> KeepConfiguration=yes
> IPVLAN=iv-0
>
> ~# cat /etc/systemd/network/20-iv-0.network
> [Match]
> Name=iv-0
> [Network]
> DHCP=ipv4
> Address=2a01:4ff:xxxx:xxxx::1/64
> DNS=2a01:4ff:xxxx:xxxx::1
> Gateway=fe80::1
>
> ~# cat /etc/systemd/nspawn/container.nspawn
> [Exec]
> PrivateUsers=off
> Timezone=off
> [Network]
> IPVLAN=enp1s0
> ~#
>
> I have this set up and working nicely with WireGuard and Unbound/DNS64; I am
> able to access the wider Internet and the containerized machines over IPv6,
> utilizing the VM’s IPv6 connectivity, with my IPv4-only Internet connection.
>
> What I need now is for the IPv6-only systemd-nspawn containerized machine
> instances connected over ipvlan to be able to access IPv4-only hosts (e.g.
> github.com).
>
> I wasn’t able to get NAT64 working with my particular setup and my first
> tries with tayga; ping -6 github.com works on the host, but not on the
> IPv6-only containers, as they don’t automatically have access to the host's
> nat64 tun device among other things.  Is there any chance jool would be
> easier to get working with this particular setup?
>
> Any pointer would be much appreciated.
>
> Best regards,
>
> Rob
>